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(54) AES Encryption circuit 

(57) A round processing unit in an encryption circuit 
comprises: a first Round Key Addition circuit (204) that 
adds a round key value to input data; an intermediate 
register/Shift Row transformation circuit (206) that tem- 
porarily stores the output of the first Round Key Addition 
circuit (204) and executes Shift Row transformation; a 
Byte Sub transformation circuit (207) Into which the val- 
ues of the Intermediate register/Shift Row transforma- 
tion circuit (206) are inputted and which executes Byte 
Sub transformation; a second Round Key Addition cir- 
cuit (208) into which the values of the intermediate reg- 
ister/Shift Row iransformation circuit (206) are Inputted 



and which adds round key values; a Mix Column trans- 
formation circuit (210) that executes Mix Column trans- 
formation upon the outputs of the second Round Key 
Addition circuit (208); and a second selector (203) that 
outputs to the second Round Key Addition circuit (204) 
one of the outputs of a first selector (202), the Interme- 
diate register/Shift Row transformation circuit (206), the 
Byte Sub transformation circuit (207), and the Mix Col- 
umn transformation circuit (210). Such an encryption cir- 
cuit reduces a scale of circuit and can achieve a certain 
level of high-speed processing In the Implementation of 
the AES block cipher. 
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Description 

BACKGROUND OF THE INVENTION 
5 Technical Field 

[0001] The present Invention relates to an encryption circuit for Implementing in hardware the Rijndael algorithm, 
which is the next generation common key block encryption standard, known as the AES (advanced encryption stand- 
ard), and will replace the current common.key block encryption standard in the US, called DES. 

to 

Description of Related Art 

[0002] A great variety of services are being considered that involve the Internet, Including electronic commerce and 

electronic money. These technologies are used not just In the daily lives of individuals, but also in a wide range of 
is fields, Including transactions among corporations and improving productivity. In particular, it is expected that encryption 

functions will be loaded onto smart cards and mobile handsets, for the purpose of verifying the identity of individuals, 

and that these technologies will be widely used for authentication, digital signatures, and data encryption. 

10003] Common key cryptography is used In these applications to prevent third parties from tapping on the internet. 

The current standard adopted in the US for common key cryptography is DES; as its replacement, the AES (advanced 
20 encryption standard), known as the Rijndael algorithm, has been selected to be next generation common key block 

cryptography standard, and this algorithm is becoming the new standard. (The AES draft Is available at http://csrc.nist. 

gov/publicatlons/drafts/df ips-AES.pdf) 

[0004] AES is a block cipher for processing in block lengths of 128 bits, and the encryption algorithm, as shown in 
FIG. 1, is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule 
25 unit 10. The round function unit 20 comprises an input reglster21 that temporarily stores input data, an XQR processing 
unit 22 that XORs the input data and expanded key segment, a round processing unit 23, a final round processing unit 
24 and an output register 25 that temporarily stores output data. 

[0005] The round processing unit 23 comprises a Byte Sub transformation unit 31 , a Shift Row transformation unit 
32, a Mix Column transformation unit 33 and a Round Key Addition unit 34; the final round processing unit 24 performs 
30 the processing of the round processing unit 23 except for the Mix Column transformation 33; it comprises a Byte Sub 
transformation unit 35, a Shift Row transformation unit 36 and a Round Key Addition unit 37. 
[0006] Round processing Iterated; the number of rounds Nr including the final round depends on the key length 
inputted into the key schedule unit 1 0, and is defined as shown in Table 1 . 

35 [Table 1] - 



Key Length and Number of Rounds 


Key Length 


Nr 


128bit 


10 


192brt 


12 


256bit 


14 



[0007] Thus for each key length round processing is executed Nr-t times, and at the end the final round processing 
is executed. When the key length is 128 bits, round processing is executed 9 times; when 192 bits, 11 times; and when 
256 bits, 13 times; and then in each case the final round processing Is executed. Round keys generated at the key 
schedule unit 10 are inputted into the XOR processing unit 22, round processing unit 23 and final round processing 
unit 24. 

[0008] The key schedule unit 10 generates round keys based on the key generation schedule specified In the AES 
draft; that algorithm Is shown in FIG. 2. 

[0009] The AES Proposal specification (AES Proposal: Rijndael, at http-y/csrc.nist.gov/encryptlon/aes/rijndael/Ri]n^ 
dael.pdf) introduces 2 hardware Implementations for AES block cipher circuits. 

[0010] One of these Is a method for hardware Implementation, in 12B bit units, of all the functions shown In FIG. 1 
as they are (hereinafter, "conventional example 1 u ). In this case, for encryption and decryption, the order of processing 
of the functions Is reversed, and thus It Is necessary to prepare separate processing circuits for encryption and de- 
cryption. 

[0011] Also, because, as shown in Tablo 1 , it is necessary to change the number of times round processing is exe- 
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cuted depending upon the key length, It is necessary to create circuits for each key length. 

[001 2] Furthermore, because of the reversal of order between encryption and decryption, the order of key generation 
in the key schedule unit 1 0forthe round keys used In the round function unit 20 has to be reversed between encryption 
and decryption. Therefore, either there has to be 2 separate key schedule units, for encryption and for decryption, or 

5 a method has to be devised for using the key schedule unit 1 0 for both encryption and decryption. 

[001 3] The second method, as shown in FIG. 3, involves creating a coprocessorBO that has a Byte Sub transformation 
unit 51 and a Mix Column transformation unit 52, and implementing in hardware only the Byte Sub transformation and 
the Mix Column transformation functions, and having all other functions incorporated as software into a program 41 , 
and then processing with a CPU 40 (hereinafter, "conventional example 2"). 

10 [0014] In this case, Byte Sub transformation and Mix Column transformation, which are unsulted for processing by 
the CPU 40 for reasons of processing time, are implemented in hardware as the coprocessor 50, and the other process- 
ing is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced. 
[0015] If we suppose that the AES block cipher is to be incorporated into a smart card or the like, the functions 
required of an encryption circuit would be to maintain a certain level of processing speed, while keeping the scale of 

is the circuit small. With these requirements, the conventionally proposed method of implementing all the functions in 
128-bit units results In the scale of circuit being too large : making the loading thereof onto a smart card difficult. With 
the method of Implementing In hardware only the Byte Sub transformation and the Mjx Column transformation, and 
processing the other functions with software, there is the problem of the processing speed requirements not being 
fulfilled. 

20 [0016] Moreover, with the key schedule unit 10 that generates the round keys, if all the round keys are stored in 
memory, a large-capacity memory is needed, and this would make the scale of circuit large. Therefore, in order to 
reduce the scale of circuit without reducing processing speed, it Is desirable to generate round keys with a circuit 
constitution that doe3 not require storing the entire expanded key in memory. 

25 SUMMARY OF THE INVENTION 

[001 7] It is an object of the present invention to present an encryption circuit that is small in scale and that can achieve 
a certain level of processing speed when implementing the AES block cipher. 

[0018] The present Invention provides an encryption circuit that generates from a cipher key a plurality of round keys 
so having a number of bits corresponding to a predetermined processing block length and executing, for each processing . 
block length, Input data and round key encryption/decryption processing, by means of a round function unit comprising 
an XOR operation unit that XORs the input data and one of the round keys and a round processing unit that iterates 
round- processing that includes Byte Sub transformation, Shift Row transformation, Mix Column transformation and 
Round Key Addition, wherein: 

35 the round processing unit comprises: a first selectorthat segments input data Into execution block lengths smallerthan 
the processing block length; a first Round Key Addition circuit that adds the round key value to input data for each the 
execution block length; an intermediate register/Shift Row transformation circuit that temporarily stores the output of 
the first Round Key Addition circuit and executes Shift Row transformation using the processing block length; a Byte 
Sub transformation circuit wherein the intermediate register/Shift Row transformation circuit value Is inputted for each 

40 the execution block length and Byte Sub transformation is executed; a second Round Key Addition circuit wherein the 
intermediate register/Shift Row transformation circuit value is Inputted for each the execution block length and the 
round key value Is added for each the execution block length; a Mix Column transformation circuit executing Mix Column 
transformation on the output of the second Round Key Addition circuit; and a second selector that outputs to the first 
Round Key Addition circuit one output from among the outputs of the first selector, intermediate register/Shift Row 

45 transformation circuit, Byte Sub transformation circuit, or Mix Column transformation circuit. 

[0019] Here, the execution block length can be a multiple of a bits, the processing block length can be 1 28 bits and 
the execution block tenglh can be 32 bits. 

[0020] Further, the key length of the cipher key can be any of 128 bits, 192 bits or 256 bits. 

[0021 ] Also, the Byte Sub transformation circuit can comprise a matrix operation unit for decryption that executes a 
so matrix operation on input data; a third selector that outputs either the Input data or the output of the matrix operation 
unit for decryption; an Inverse operation unit for executing an inverse operation on the data outputted from the third 
selector; a matrix operation unit for encryption that executes a matrix operation on the data outputted from the Inverse 
operation unit; and a fourth selector that outputs either the output of the inverse operation unit or the output of the 
matrix operation unit for encryption. 
55 [0022] Further, the matrix operation unit for decryption and the matrix operation unit for encryption comprises an 
XOR circuit so as to perform 8-blt operations at one dock cycle and the matrix operation unit for decryption and the 
matrix operation unit for encryption comprises an XOR circuit so as to perform 1-bit operations at one clock cycle. 
[0023] Also, the Intermediate register/Shift Row transformation circuit can be usedtorboth encryption and decryption 
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